laurentsimon
See https://github.com/slsa-framework/slsa-github-generator/issues/2035#issuecomment-1564275318: JReleaser is a "super app" and needs an exception.
We may also verify that the material marked with `annotation.source: true` is the same. This could be dangerous, since some builders may provide multiple "source" entries. So maybe only use the...
We may want to provide an option to verify https://github.com/slsa-framework/slsa-github-generator/issues/1555. This is only needed for generators.
Also add tests for the 3 possible values of the default CLI builder ID.
We use this function to match the inputs to a workflow: https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gha/slsaprovenance/common.go#L12. We seem to always look at the trigger workflow's input. We may want to change this for our...
This will be important when we develop the API, since the API may be used as part of a verification service.
We currently don't verify that the cert in the bundle is the same as the one in the Rekor entry; we only verify that the signatures are the same: https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gha/bundle.go#L175-L183. We should...
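The gap described in the comment above, as an added example that is not slsa-verifier's own code: two certificates issued for the same signing key but different identities both verify the same signature over the payload, so a signature-equality check alone cannot tell the bundle's certificate from the Rekor entry's. Comparing the full DER encoding of the two certificates does. All names (`CertsMatch`, `SignatureVerifies`, `Scenario`), the self-signed certificates and the payload are constructed for this example; the real bundle and Rekor certificates are Fulcio-issued leaves, which the comparison handles the same way.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert issues a constructed, self-signed leaf certificate for key
// carrying the given email SAN. Hypothetical helper standing in for a
// Fulcio-issued certificate; not how slsa-verifier obtains certificates.
func selfSignedCert(key *ecdsa.PrivateKey, email string, serial int64) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(10 * time.Minute),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SignatureVerifies reports whether sig (ASN.1 ECDSA) over payload verifies
// under the public key embedded in certDER. This is the kind of check that
// passes for any certificate bound to the same key, regardless of identity.
func SignatureVerifies(certDER, payload, sig []byte) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig) == nil, nil
}

// CertsMatch parses both certificates and compares their full DER encodings,
// so a Rekor entry carrying a different certificate than the bundle is rejected
// even when its key (and therefore the signature) is identical.
func CertsMatch(bundleCertDER, rekorCertDER []byte) (bool, error) {
	b, err := x509.ParseCertificate(bundleCertDER)
	if err != nil {
		return false, fmt.Errorf("bundle cert: %w", err)
	}
	r, err := x509.ParseCertificate(rekorCertDER)
	if err != nil {
		return false, fmt.Errorf("rekor cert: %w", err)
	}
	return bytes.Equal(b.Raw, r.Raw), nil
}

// Result summarises the constructed scenario.
type Result struct {
	SigVerifiesUnderBoth bool // same signature accepted by both certificates
	CertsEqual           bool // bundle cert vs rekor cert (expected false)
	SameCertEqual        bool // bundle cert vs itself (expected true)
}

// Scenario builds one key, two certificates for it with different identities,
// and one signature, then runs both checks.
func Scenario() (Result, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	bundleCert, err := selfSignedCert(key, "release-bot@example.com", 1)
	if err != nil {
		return Result{}, err
	}
	rekorCert, err := selfSignedCert(key, "someone-else@example.com", 2)
	if err != nil {
		return Result{}, err
	}
	payload := []byte("constructed DSSE envelope payload") // constructed sample input
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Result{}, err
	}
	okBundle, err := SignatureVerifies(bundleCert, payload, sig)
	if err != nil {
		return Result{}, err
	}
	okRekor, err := SignatureVerifies(rekorCert, payload, sig)
	if err != nil {
		return Result{}, err
	}
	crossMatch, err := CertsMatch(bundleCert, rekorCert)
	if err != nil {
		return Result{}, err
	}
	selfMatch, err := CertsMatch(bundleCert, bundleCert)
	if err != nil {
		return Result{}, err
	}
	return Result{SigVerifiesUnderBoth: okBundle && okRekor, CertsEqual: crossMatch, SameCertEqual: selfMatch}, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature verifies under both certs: %v\n", res.SigVerifiesUnderBoth)
	fmt.Printf("bundle cert == rekor cert: %v\n", res.CertsEqual)
}
```

Comparing `Raw` (the DER bytes) rather than selected fields avoids having to decide which certificate fields matter; if the two encodings differ at all, the Rekor entry does not attest to the certificate the verifier is about to trust.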
Use scorecard, allstar, for example. Record all settings changes, etc.